Q&A: Andy Buchanan gives a detailed insight into the evolving threat that is ransomware – and why you should NEVER pay up if attacked.
EB: Just how at risk are organisations from ransomware?
AB: Ransomware isn’t a new threat, but its execution over the last year or so has been cunning and is key to why it’s risen to prominence. By cleverly selecting targets, such as big US-based hospitals that depend on data to treat patients, they have assured themselves of two things – that the ransom will be paid and some pretty meaty headlines.
Organisations of all shapes and sizes are at risk from ransomware, but not necessarily more than any other form of cyber-attack. The key challenge with ransomware is that there isn’t any guaranteed way to prevent it. That’s what makes it so scary for companies.
EB: Which organisations are the most at risk and why?
AB: Hospitals are part of the UK’s national critical infrastructure, meaning they are prime targets for criminals who want to cause maximum disruption to get what they want. Unlike banks or businesses where the data held ransom is, say, financial, information taken from hospitals is literally a matter of life and death, meaning that ransom payments are going to be paid more often than not. Despite this focus, a recent report found that ransomware is behind 42% of all UK business security breaches.
Increasingly though, hackers will diversify their targets – after all it is thought that more than 120 families of ransomware now exist; a figure that is only set to grow thanks to the appearance of freely available source code for ransomware. It’s attractive to hackers because, let’s face it, the return on investment is exceptionally high.
We’ve already seen the profile of businesses being targeted widen, from smaller companies through to the public sector and education (the University of Calgary recently paid $20,000 to hackers) and I see no reason why that won’t continue. With GDPR looming large on the horizon, this has become even more of a pressing concern as the financial penalties associated with breaches will increase exponentially.
EB: What trends and tactics are currently being seen in ransomware attacks? Is the threat itself evolving?
AB: Renowned UK security blogger Graham Cluley summed up the current state of affairs succinctly, saying “the alarming torrent of crypto-ransomware attacks is showing no signs of slowing down”. And he’s not wrong. From the appearance of source code, ransomware-for-hire / ransomware-as-a-service, bitcoin ransoms and crypto ransomware, it’s become a genre of cyber-attack that has become impossible to predict as it expands.
EB: Should a company ever pay the ransom?
AB: Last year the FBI were quoted saying that in many cases the ransom should simply be paid. However, they have overruled that in 2016 and now say that in no circumstances should you pay to regain access to your information. This is good advice for two reasons: firstly, there is no guarantee that you are going to get access to your data back, or, in the case that you do, the data could be compromised. The saying goes that there is no honour among thieves, and data held to ransom could well have been corrupted during the process, or backdoors left within it so hackers can regain access into your network at their leisure.
Secondly, it is impossible to know what you may be funding by paying the required money. By sending across the funds, you could be fuelling further attacks against yourself, other innocent parties, or any other kind of illicit activity the attackers are also a part of. Contacting the relevant authorities and trying to shut down the attack should always be an individual or organisation’s first port of call.
EB: How can ransomware be detected and avoided from a technology standpoint?
AB: There is a variety of systems that can be put in place in order to detect and avoid attackers. These fall under the umbrella of context-aware solutions based on what positions and rights employees hold within the organisation for access and their physical context at the point of access (for example their device, location, network, time of day).
By being aware of what applications within the network an employee needs and then allowing access based on this combination of information, organisations can narrow down the culprit for any attacks that have taken place, and also ensure that a potential threat does not have access to the entirety of the company’s infrastructure. Whitelisting and blacklisting of applications is a good way to minimise rogue or malicious software from entering into the network and flag up when the attempted installation of one of these has occurred.
Another proven tactic is adding in self-service capability to your network. By doing this, you can ensure that whitelisted applications can be automated and selected by employees, so they can easily find the solutions that they need. This minimises the chances of employees creating an IT shadow – where they download an unapproved application, meaning that you don’t have full overview of the network, leading to a vulnerability being created.
Additionally, automating the onboarding and offboarding of employees can ensure that the amount of access points available for an insider attack is kept to a minimum. Techniques such as access control, encryption and user monitoring will also help deter potential insider threats from a technological standpoint.
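As an added illustration of the context-aware access decisions described above (role, device, network and time of day, layered on an application whitelist), here is a small policy evaluator. It is example code written for this page, not software from RES or from the interview; the roles, applications and thresholds are invented.

```python
from dataclasses import dataclass, asdict
import json

@dataclass
class AccessRequest:
    user: str
    role: str
    application: str
    device: str    # e.g. "managed-laptop" or "unmanaged"
    network: str   # e.g. "corp-lan", "vpn", "public-wifi"
    hour: int      # local hour of the request, 0-23

# Hypothetical whitelist: the applications each role actually needs.
ROLE_APPS = {
    "finance": {"ledger", "email"},
    "clinician": {"patient-records", "email"},
    "it-admin": {"ledger", "patient-records", "email", "admin-console"},
}

# Context rules on top of the role: sensitive applications are only reachable
# from a managed device, on a trusted network, during working hours (invented values).
SENSITIVE = {"ledger", "patient-records", "admin-console"}
TRUSTED_NETWORKS = {"corp-lan", "vpn"}
WORKING_HOURS = range(7, 20)

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason); the reason is what goes into the audit log."""
    if req.application not in ROLE_APPS.get(req.role, set()):
        return False, f"{req.application} is not whitelisted for role {req.role}"
    if req.application in SENSITIVE:
        if req.device != "managed-laptop":
            return False, "sensitive application requested from an unmanaged device"
        if req.network not in TRUSTED_NETWORKS:
            return False, f"sensitive application requested from untrusted network {req.network}"
        if req.hour not in WORKING_HOURS:
            return False, f"sensitive application requested outside working hours ({req.hour:02d}:00)"
    return True, "context matches policy"

def audit_record(req: AccessRequest) -> str:
    """One JSON line per decision: keeps the full context so that an incident
    can be narrowed down to a user, device and network afterwards."""
    allowed, reason = decide(req)
    record = dict(asdict(req), allowed=allowed, reason=reason)
    return json.dumps(record, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample requests: one in policy, one from a public network late at night.
    print(audit_record(AccessRequest("alice", "finance", "ledger", "managed-laptop", "corp-lan", 10)))
    print(audit_record(AccessRequest("alice", "finance", "ledger", "unmanaged", "public-wifi", 23)))
```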
EB: You mentioned employees, how serious is the threat posed by the human weak-link?
AB: The top priority for a company concerned about ransomware is its users. Cyber criminals understand the environment they are attacking, and that employees are often the weak link. Using phishing campaigns, workers can be tricked into clicking insidious emails. Imagine receiving an attachment from your CEO labelled urgent – not many of us would ignore it! Therefore, companies have a duty not to place blame, but to educate their staff.
Awareness courses should be run regularly and informative educational materials distributed that outline how to spot a phishing email, what to do when you are unsure and who to alert if an employee believes an email or any other such documentation is dangerous. This way, if a phishing email does find its way into an employee’s inbox, there is more chance it will be avoided.
EB: Talking about social engineering, what do you think are the most common or dangerous scareware tactics in use today?
AB: Posing as a colleague is probably the easiest way that attackers infiltrate a network and introduce ransomware. If an employee’s account is breached, then it is all too easy for an attacker to simply send across an innocuous looking email with a ransomware-laced file to be downloaded. Because realistically, how many people are going to ignore that email labelled urgent from their CEO?
This all ties into employee education and teaching them to be alert to the signs of foul play. A misspelled word, an unusual file, or a request coming from a colleague you don’t usually work too closely with should all be double checked at source before being clicked on. Blacklisting files that are trying to execute programmes also provides employees with a vital safety net against an inadvertent ransomware download.
EB: Is ransomware a discussion seen at board level yet? What should the board be doing to defend and protect against ransomware?
AB: CEOs feel strongly that the boardroom must take this issue seriously, but the focus can be on the wrong area. With the rise in cyber crime such as ransomware, the amount of internal and external audits being undertaken has risen in parallel as people want to ensure they are doing all they can to combat this threat. While this is admirable in making sure the topic is taken seriously, this doesn’t get to the heart of the issue: the end user. C-level executives should be combatting the cost of extra audits by streamlining their security process through automation and standardisation – this will both benefit their users and help to keep the organisation’s margins healthy.
EB: Do you think the situation with ransomware is going to improve, or is it set to pose an even greater threat?
Andy Buchanan is Area Vice President, UK&I, RES